Hendon Publishing - Article Archive Details

Data Loss Best Practices

Written by Len Gangi

Sound data loss prevention policies are an increasingly important element of an overall security practice that governs the protection of information assets. As the computing tools available to law enforcement officials expand in scope, they will become still more crucial.

The National Institute of Justice has identified high-priority technology needs for the criminal justice field, including the following aimed at enabling informal decision-making: 1) effective and instantaneous, user-transparent, operable and interoperable voice, data and multimedia communications, 2) improved spatial analysis tools and technologies, 3) “Intelligent” automated systems that can predict and deter potential criminal activity by correlating patterns of behavior and anomalies in that behavior from multiple data sources, 4) effective integration and management of sensor systems in law enforcement command and control systems, and 5) automated case management and communications systems that can be used by officers and offenders to track compliance with conditions of release and prompt necessary action.

These high-priority tools will enable practitioners to work and collaborate more effectively. They require, however, scrupulous attention to eliminating new and rapidly evolving security threats. The “informal decision-making” that they permit requires vigilant network security administration and high degrees of user awareness to prevent sensitive data from being exposed. Less-than-adequate network security could allow any endpoint to leak information out—or admit threats into the network.

The Information Security and Crime Prevention Company Checklist published by Interpol contains pertinent questions for all security administrators, particularly those questions about bringing new software and computing devices into the network. Are security requirements included in the demand specification when buying or developing systems? Is a security validation made before introducing new hardware?

Questions like these are important considerations when setting up a data loss prevention plan. The checklist of simple “yes-or-no” questions is designed for distribution by law enforcement officials. The questions are also useful for checking the security of law enforcement networks.

Protecting sensitive information is one of the most critical processes in any organization. Not having and enforcing a data protection policy creates a clearly unintended Freedom of Information Act—for technically-equipped hackers—in this case punishable by law. On any network, information must be considered in two forms.

First, data in storage. Data at rest is subject to unauthorized access and physical threats, such as theft, fire or water damage. Fortunately, data can be securely backed up and stored off-site relatively inexpensively. Second, data in transit. In order for employees to use network information, it needs to move from where it is stored to the user. These communications channels, and the data that traverses them, should be secure.

In both forms, network information is subject to two types of threat. First, careless users. Even the most conscientious employee can have a bad day, overwrite a backup disk or inadvertently corrupt the server database. The best insurance against user carelessness is good education and automated data backups. Encryption also provides good protection for data both in transit and in storage, and is especially useful to protect data that leaves the primary processing facility.

Second, and a worse peril, are malicious users, both inside and outside the network. Angry ex-employees leave with sensitive data for profit or malice. Tech-savvy ones with too many permissions overwrite databases. Hackers sniff on wireless networks and steal unencrypted data from touring laptops.

Given the valuable confidential information on many networks, protecting it from hackers and disgruntled workers is a challenge. Protection requires hardware and software firewalls, assiduous employee education, sound HR policies and judicious limitation on the transfer of data, both through e-mails and onto handheld devices.

Data loss happens under a variety of conditions: 1) an open office environment allows employees seamless access to data, 2) employees e-mail sensitive work files to their personal e-mail addresses or copy them onto removable media, 3) telecommuting employees access the department network from remote locations, 4) official e-mail is accessed on a public computer in an unsecured environment, 5) department laptops are used in unsecured public wireless hotspots, 6) mobile devices carrying sensitive department information are misplaced or stolen, and 7) employees disable anti-virus/firewall programs to maneuver around complacent department security policies and get their work done.

Of course, the information is there to be used. Sometimes it must be e-mailed or stored on a USB key, smartphone or laptop. In that case, protect it from unauthorized access by encrypting it. Encryption uses the computer’s mighty processing power to turn the information in a file into indecipherable gibberish using an algorithm. Typical encrypted information looks something like this:

Only with the proper authorization and “key” can encrypted information be translated back into human- or machine-readable form.

Best Practices for Data Loss Prevention

1.) Create and maintain an information security and data classification policy. Identify and control the handling and storage of proprietary, confidential and sensitive information. Educate users continually.

2.) Have and enforce a data loss prevention policy that includes monitoring and incident handling processes. Be sure you are familiar with breach notification laws, as well as the responsibilities and resources governing your operation.

3.) Give IT professionals the flexibility they need to administer, especially in emergencies. Centralize the command and control of all devices on the network, including those that leave the building. Centralized management allows IT staff to update settings on each device remotely, instead of having to visit each desk, or having to wait until traveling staff bring their computing devices to the home office.

4.) Avoid time-consuming or difficult data loss prevention solutions. Policies requiring too many passwords or difficult-to-remember sequences are policies bound to be thwarted. Make compliance as easy as possible for all users.

Data loss policies must apply to everyone with access to network information. Dr. Henry Wolfe made an unfortunate observation to the 2007 Forum of Incident Response and Security Teams (FIRST) conference: “Security will fail if top management, because of their lofty importance, choose to exempt themselves from applying the secure policies and procedures implemented.

“This is a real life example: a government department has at its head an individual who does not like the idea of being forced to change their password regularly and therefore is exempt from doing so. This, in turn, has allowed the number two in command to also be exempt from changing their password regularly.” Policies must be easy enough for everyone to adhere to—even top brass.

5.) Authenticate, encrypt and minimize sensitive information on traveling devices. Minimize the need for data to travel. Further, encrypt the information to render it useless without proper access. If a flash drive, laptop or other traveling device contains encrypted information, even if it is lost, the data can remain safe.

6.) Encrypt the traveling devices themselves. Traveling devices can be encrypted at the boot level so that even if someone found or stole the laptop, they could not access the operating system. This adds an extra level of security, especially for devices that can connect to networks.

7.) For official devices, encrypt all information with two-factor authentication. The two factors can be something the user “knows,” such as a password; something the user “is,” such as a personal characteristic (e.g., a fingerprint); or something the user “has,” such as a digital file stored either on the computer or on an auxiliary device such as a USB key.

If the digital file is a digital certificate, it is kept on file with the company that issued it (called a certificate authority), such as Comodo CA. If the device is lost or stolen, the IT department can notify the issuing certificate authority. If that certificate authority supports the Online Certificate Status Protocol (OCSP), it can nullify the certificate immediately. If a thief (or even a discharged employee) tries to use the device without permission, the files remain encrypted and unavailable.
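The two-factor idea in item 7, shown as an added example that is not from the original article or from any Comodo product: an encryption key is derived so that it depends on both a password (something the user “knows”) and a key file kept on a USB key (something the user “has”). The function names, the iteration count and the key-check scheme are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Assumption: iteration count chosen for illustration; tune it to your hardware.
PBKDF2_ITERATIONS = 600_000


def derive_key(password: str, keyfile: bytes, salt: bytes) -> bytes:
    """Derive a 32-byte key that depends on BOTH the password and the key file."""
    stretched = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    # Bind the "has" factor: HMAC keyed by the stretched password over the file digest.
    return hmac.new(stretched, hashlib.sha256(keyfile).digest(), hashlib.sha256).digest()


def enroll(password: str, keyfile: bytes) -> dict:
    """Create the record stored on the device: a salt and a key-check value."""
    salt = secrets.token_bytes(16)
    key = derive_key(password, keyfile, salt)
    check = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return {"salt": salt, "check": check}


def unlock(record: dict, password: str, keyfile: bytes):
    """Return the key if both factors are correct, otherwise None."""
    key = derive_key(password, keyfile, record["salt"])
    expected = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return key if hmac.compare_digest(expected, record["check"]) else None


if __name__ == "__main__":
    # Constructed sample factors, for demonstration only.
    usb_keyfile = secrets.token_bytes(64)  # would live on the USB key
    record = enroll("correct horse battery", usb_keyfile)

    print("both factors:  ", unlock(record, "correct horse battery", usb_keyfile) is not None)
    print("wrong password:", unlock(record, "guess", usb_keyfile) is not None)
    print("no USB key:    ", unlock(record, "correct horse battery", b"") is not None)
```

The key returned by `unlock` would then be handed to the file or disk encryption tool; the cipher itself is outside this example.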

While several solutions address the needs of networks in the context of preventing data loss, introduction of best practices ensures that users understand the importance of minimizing the threat of data leaks. Enforcing encryption in official communication, understanding and classifying information, enabling data access on a need-to-know basis, monitoring endpoints for unusual user behavior, and ensuring compliance with security policies, all supported by a robust security infrastructure, go a long way in preventing data loss within the organization. Most importantly, networks require robust firewalls to prevent malware and hacker intrusion.

Comodo Internet Security, with its Default-Deny Protection™ and intelligent heuristics-based firewall, allows IT departments to prevent threats from impacting their networks. When deployed with Comodo Endpoint Security Manager, IT administrators can easily implement and change security settings across the network. This remote administration gives them the strength and nimbleness they need to protect all of their endpoints.

Len Gangi is Vice President of Enterprise Solutions at Comodo in Jersey City, NJ. Mr. Gangi is an ISACA-certified information systems auditor. Katharine Hadow is Manager of Public Relations at Comodo. She may be reached at katharinehadow@comodo.com.